Exhibit  1 


To:

From:

Sent: Mon 5/9/2016 10:09:12 PM (UTC)

Subject: Re: [tasks] Clarify policies around platform scraping for politics


commented:  Let's  keep  this  open.  and  I  are  going  to  put  something  together  that  is  a  more  business  friendly  description  of 
what  we  allow  with  respect  to  third  party  data  collection  and  use.  This  will  serve  as  a  reminder  to  get  that  done, 
changed  the  subscribers.  Added: 


Clarify  policies  around  platform  scraping  for  politics 


RECENT  ACTIVITY 

commented: 

Let's keep this open. and I are going to put something together that is a more business friendly description of what we allow with respect to third
party data collection and use. This will serve as a reminder to get that done.


changed  the  subscribers.  Added: 




STATUS 

Open 

PRIORITY 

None 

OWNER 

1 

1 

CREATED 

Sep 22, 2015 9:27am by hjj^Bi^B

DESCRIPTION 


Our  team  has  been  spending  a  lot  of  time  lately  attempting  to  clarify  to  clients  in  the  political  space  how  our  policies  apply  to 
pitches  coming  from  vendors  regarding  matching  social  data  to  voter  files.  You'll  recall  TrendPo  using  scraped  engager 
audiences  last  year  to  create  custom  audiences  -  we  suspect  many  of  these  companies  are  doing  similar  types  of  scraping, 
the  largest  and  most  aggressive  on  the  conservative  side  being  Cambridge  Analytica  (http://ca-political.org/what-we-do/),  a 
sketchy  (to  say  the  least)  data  modeling  company  that  has  penetrated  our  market  deeply.  Because  the  frequency  with  which 
this  is  coming  up  has  increased  drastically  in  the  past  few  weeks,  we'd  like  to  work  with  your  team  to  make  sure  we  have 
clear  channels  between  our  teams.  Specifically,  we  need  answers  to  the  following  questions: 

1.  Can  we  develop  template  messaging  to  advise  clients  on  how  our  policies  apply  to  these  types  of  services?  Does  this 
already  exist?  (I  believe  I  remember  enforcement  relying  on  a  few  different  policies  last  year). 

2.  Can  you  help  us  investigate  what  Cambridge  specifically  is  actually  doing? 

3. One vendor offering beyond Cambridge we're concerned with (given their prominence in the industry) is NationBuilder's
"Social Matching," on which they've pitched our clients and their website simply says "Automatically link the emails in your
database to Facebook, Twitter, LinkedIn and Klout profiles, and pull in social engagement activity." I'm not sure what that
means, and don't want to incorrectly tell folks to avoid it, but it is definitely being conflated in the market with other less
above board services. Can you help clarify what they're actually doing?


Please  let  us  know  if  you  need  any  more  information.  Thanks  in  advance! 


TAGS 


platform  policy  politics  oncall 


SUBSCRIBERS 


COMMENT  HISTORY 


Let's  keep  this  open.  and  I  are  going  to  put  something  together  that  is  a  more  business  friendly  description  of  what  we  allow  with  respect  to  third 
party  data  collection  and  use.  This  will  serve  as  a  reminder  to  get  that  done. 

May  9,  2016  3:08pm 


Is  there  anything  else  needed  here,  or  are  we  okay  to  close  out? 

May  6,  2016  9:58am 


FullContact update: We've received a response from the FullContact team that they've taken the necessary steps to remove FB data from their
product offering: "Please note that new updates to FullContact's apps reflecting these changes I believe are still pending approval from Apple, but
should be live shortly."

Feb  12,  2016  3:38pm 


D|  and  I  spoke  with  FullContact  yesterday.  They  have  agreed  to  remove  any  current  and  stored  data  obtained  from  Facebook  via  our  APIs  from  their 
service,  and  to  remove  any  references  to  Facebook  from  their  site.  They  have  agreed  to  do  this  by  February  13th  (the  deadline  decided  upon  on  the 
call). 

Please  let  me  know  if  we'd  like  to  host  a  similar  call  with  For  America;  I  will  hold  out  on  outreach  until  I  hear  otherwise. 

Jan 28, 2016 12:52pm


Great,  sent!  (TPS  299056219).  Will  follow  up  with  response. 

Jan  21,  2016  1:17pm 


Let's  do  it.  Thanks,  J^l 

Jan 21, 2016 12:25pm


Thanks, all! To clarify, I will reach out to of For America (page https://www.facebook.com/ForAmerica/Tfref^s), as well
as Full Contact (app ID 184998594896953; contact address billing@fullcontact.com) and set up separate calls with both. Please confirm and I'll reach
out today!

Jan 21, 2016 12:20pm


To  clarify,  Nation  Builder  didn't  say  ForAmerica  did  anything  wrong.  Instead,  they  indicated  that  ForAmerica  was  the  organization  that  tipped  them  off 
that  Facebook  was  looking  into  them.  At  the  same  time  they  apparently  terminated  any  agreements  they  had  with  Nation  Builder. 

Jan  21,  2016  10:38am 


Hi  C|^^,  Thanks  for  that.  Just  to  circle  back  to  the  original  context  on  this  thread:  the  agency  for  ForAmerica  is  who  actually  filed  the  original  complaint 
on Nation Builder - so I find it a bit strange (and potentially suspicious) that Nation Builder is now pointing fingers back to ForAmerica :) ForAmerica's
agency  was  concerned  Nation  Builder  was  pitching  violating  products.  At  any  rate,  if  you  would  like  the  individual  who  used  to  work  on  the  ForAmerica 
account  at  the  agency  who  complained  originally  -  it  is  <*■  |^^|^m@CRCPublicRelations.com.  Please  note  he  no  longer  works  on 

this  business  as  ForAmerica  has  taken  it  in  house.  That  said,  I  think  if  you  are  investigating  the  full  scope  of  violations,  is  a  fine  place  to  start  even 
if  not  officially  associated  with  ForAmerica.  On  the  other  hand,  this  is  the  ForAmerica  digital  director  ^^^^^|@foramerica.org.  Please  note  we  have 
no  working  relationship  with  him,  as  we  do  all  their  support  via  their  agency. 

Jan  21,  2016  9:51am 


Hi  Jfj  -  Yes,  let's  set  up  separate  calls.  Let  me  know  if  you  need  my  help  or  if  you  can  handle  that  for  us.  Thank  you  in  advance! 


Everyone  -  Full  Contact  is  a  service  provider  used  by  Nation  Builder.  Full  Contact  is  in  violation  of  our  data  policies.  ForAmerica  was  brought  up  by 
Nation  Builder.  For  America  is  no  longer  a  client  of  Nation  Builder,  and  it  was  For  America  who  told  Nation  Builder  we  were  going  to  be  contacting 
them. 


Jan  15,  2016  2:13pm 


Only  has  context  on  this  as  she  hosted  the  call  with  NationBuilder  while  I  was  out. 

Jan  15,  2016  12:57pm 


Hi  All,  just  wanted  to  echo  -  can  you  tell  us  how  ForAmerica  got  brought  into  the  conversation  most  recently,  and  what  specifically  you'll 

be  approaching  them  about?  We  can  help  point  you  to  the  right  person  to  talk  to  over  there  depending  on  what  you'll  be  asking  them  about. 

Jan  15,  2016  9:26am 


Thanks for the update C|, and for leading the call! Following up now that I'm back from PTO - would you like me to investigate and set up calls with Full
Contact  and  the  page  owners  of  For  America?  (Let  me  know  if  you'd  like  me  to  set  up  a  short  sync  for  us  to  catch  up  on  this). 

Jan  14,  2016  10:51pm 


Great,  thanks  for  talking  with  them. 


Question:  did  Nation  Builder  point  to  Full  Contact?  Or  how  did  that  get  surfaced? 


Also  how  was  ForAmerica  broached  in  that  conversation  (or  are  you  mentioning  them  based  on  our  previous  internal  conversations?) 

Jan  8,  2016  3:51pm 


Just  finished  the  call  with  NationBuilder.  They  are  going  to  make  a  few  changes  but  ultimately  I  didn't  surface  major  policy  issues  with  their  service. 
From  this  conversation  we  need  to  broaden  the  investigation  to  another  company  called  Full  Contact,  and  I'd  also  like  to  set  up  a  call  with  the  page 
owner(s)  of  For  America. 

Jan  8,  2016  3:46pm 


I  just  received  a  response  from  ll|  who  put  me  in  contact  with  the  correct  representative  from  the  company  (Kt^^m);  I've  asked  Khj^^  for  his 
availability  for  this  week  and  will  schedule  the  call  with  C^^|as  soon  as  I  receive  a  response. 

Jan  5,  2016  3:57pm 


My  team  is  not  in  contact,  and  I  assume  you  are  still  the  owner  on  the  DevOps  side,  so  perhaps  reply  asking  II  J  who  has  a  call  with,  as  it 

may  be  in  regards  to  a  separate  matter.  Happy  new  year! 

Jan  4,  2016  11:22am 


Update: I hadn't received an email from II J over the holidays so sent him a follow-up email, and just received the following response:


My  understanding  is  that  your  team  has  a  call  scheduled  with  Ll^l 

from  our  Product  Team,  who  I  think  is  better  equipped  to  discuss  our 
relationship with Facebook than I. Thanks for reaching out!

Best, 


Did  anyone  on  this  thread  schedule  this  or  have  context?  If  I'm  no  longer  needed  in  orchestrating  this  please  let  me  know. 

Jan  4,  2016  10:08am 


Thanks M |^. I've reached out to II f directly (TPS 292525889).

Dec 28, 2015 11:20pm


II | is more senior, so that's probably better for the purposes of this. E^| is person (who, we do know, helps our clients
actually do the mechanics of connecting their apps to pages.)

Dec  27,  2015  9:06pm 


I've  not  yet  received  a  response  from  my  outreach  to  Nation  Builder  via  the  app's  listed  contact  address.  M  I  can  therefore  reach  out  again  via 
one  of  your  direct  contacts  -  is  there  a  preference  for  II  |  or  EE^?  Or  should  I  include  them  both  on  my  outreach? 

Dec  27,  2015  8:51pm 


Yes.  Thank  you! 

Dec  17,  2015  10:19pm 


Thanks  all.  Yes,  I  found  an  associated  app:  NationBuilder  (126739610711965),  132k  MAP.  The  app  has  passed  review  and  seems  to  be  actively 
pulling  some  data  based  on  my  scuba  data  dive.  The  contact  address  the  developer  has  listed  on  the  app  is  info@nationbuilder.com. 

P|, should I schedule the call for after the 28th?

Dec  17,  2015  8:39pm 


This  should  come  from  and  I'll  support.  am  I  correct  we  found  an  app  for  them  which  means  we  have  their  dev  email  address  or  am  I 
off?  Just  on  mobile  so  did  not  parse  through  the  task. 

Dec  17,  2015  6:58pm 


oq|  PF 


I  is  the ' 


have  an  email  for  him  off  hand.  SS 


in  the  US  -|^|@n ationbuilder.com.  QC^  RF^^^g  is  their^^^^^^^^^  but  we  don't 
|  is  another^^^^^^^|  person  who  our  clients  have  used  for  support  on  linking  their  app  into 


their  FB  pages| 

Dec  17,  2015  5:20pm 


l@nationbuilder.com. 


5nationbuilder.com 


J  0  do  you  want  to  reach  out  to  them  or  do  you  want  us  to?  My  contact  there  isUL| 
and  he  handles  their  international  accounts  but  could  put  us  in  touch  with  the  right  folks  to  have  the  call  with. 

Dec  17,  2015  5:17pm 

That  would  be  great!  As  mentioned  I've  been  digging  into  Nation  Builder  following  our  call  with  Strategic  Media  21  though  am  struggling  to  fully 
understand  the  app  based  on  online  investigation  alone.  Here's  what  I’ve  found: 


- NationBuilder (126739610711965), 132k MAP

-  Passed  review  for  following  permissions  (https://our.cstools.facebook.com/..  ./crow/apps/submission-su.../):  user_events,  publish_actions, 
rsvp_event,  manage_pages 

- Actively pulling these perms: https://fburl.com/188631556

- In short the app seems to offer monthly subscription services for politicians, nonprofits, unions, etc building profiles based (in part) on information
pulled from the person's activity on the client's Facebook Page. It then seems to offer correspondence services for the client's 'voter database,'
including email blasts and text messages. From the 'How to connect to FB' FAQ page (http://nationbuilder.com/how_to_facebook_twitter#facebook):
"Types of Facebook page interactions logged in a nation:

1.  Someone  comments  on  an  official  post  in  a  Facebook  page 

2.  Someone  creates  a  new  post  on  a  Facebook  page 

3.  Someone  likes  an  official  post  in  a  Facebook  page 

4.  Someone  RSVPs  to  an  event  via  Facebook  -  if  that  Facebook  event  is  connected  to  an  event  in  your  nation. 

The  entire  list  of  people  who  have  liked  the  Facebook  page  cannot  be  added  to  your  people  database.  It  is  also  not  possible  to  access  an  individual 
person's  friends  list  in  a  nation." 


{1740343496196792} 

You  can  "tag"  people  that  like  a  post  on  your  Page  (http://nationbuilder.com/tag_people_who_liked_a_facebook_po  ..  ) 


I can continue to dig in, though would potentially suggest a call with the developer to ask directly how they're using data from Facebook. CJ mentioned
she is on PTO until the 28th - if we opt for a call, is this something I should schedule for after the 28th, or is the Nation Builder aspect of this high pri?


Dec  17,  2015  3:09pm 


Yes  please.  Thanks! 

Dec  17,  2015  12:43pm 


q_/J  if  you  need  a  contact  at  Nation  Builder  we  have  that. 

Dec  17,  2015  12:16pm 


We  are  investigating  Nation  Builder  and  will  reach  out  to  them  for  a  mtg  after  checking  internally  to  see  if  we  have  any  relationship  with  them.  is  on 
point. We met with Strategic Media yesterday and from that conversation it's clear we need to focus first on Nation Builder.

Dec  16,  2015  1:43pm 

while  we  sort  out  the  Cambridge  Analytica/Research  use  of  data  question,  can  we  parallel  process  two  other  elements  to  get 
ahead  of  future  issues?  On  Friday,  we  chatted  about  equipping  our  team  with  a  "plain  English"  description  of  what  is  in  and  out  of  bounds  for  data 
matching  in  the  space.  We  often  point  people  to  the  terms,  but  even  having  a  little  more  general  of  a  framework/what  are  the  bright  lines  would  equip  our 
sales  team  in  market  better. 


Also  you  help  us  get  a  review  of  other  potentially  violating  vendors  (also  mentioned  in  the  original  task  here)?  Specifically  Nation  Builder,  who  has 
been  pitching  many  data  matching/enriching  services  using  FB  as  a  component.  This  is  one  such  pitch  email  our  client  received  (the  client  in  question, 
ForAmerica,  did  not  proceed  on  this  since  they  believed  it  to  be  out  of  terms,  which  is  why  they  flagged  this  for  us).  This  was  a  project  that  would 
leverage  Strategic  Media  (whom  I  believe  is  working  on?)  and  Nation  Builder. 

"XXX  will  take  ForAmerica's  community  of  7.6  million  Facebook  likes  and  create  a  database  identifying  people  who  like  ForAmerica  posts  and  in  many 
cases  use  data  matching  to  layer  other  information  points  over  these  individuals,  including  methods  of  contact  and  interests. 

In  order  to  do  this,  XXX  will  first  set  up  an  API  to  gather  data  on  anyone  who  “Likes”  a  post  on  ForAmerica's  page.  Once  a  critical  mass  is  reached, 
XXX  will  match  this  list  against  our  database  of  names,  phone  numbers,  e-mails  and  mailing  addresses  of  82  million  conservatives  and  Christians  and 
their  friends. 


Our  initial  data  gathering  and  matching  run  will  take  place  over  the  two  months  in  October  and  November.  Our  estimates  are  that  this  data  run  would 
generate  a  1.25  -  3  million  person  database  (this  is  an  estimate  and  not  a  guarantee)  that  could  be  broken  down  along  the  following  lines: 
100,000-250,000:  Full  Data  Match-  name,  street  address,  phone  number,  email,  DOB  and  number  of  interactions  with  ForAmerica  (can  be  used  to 
assign donor value at later date)

150,000  -  300,000:  Partial  Match-  Name,  City,  State,  DOB  (can  be  matched  against  voter  file  to  determine  physical  address  at  a  future  date)  and 
number  of  interactions  with  ForAmerica 

1-2.5  million:  Facebook  Profile-  Name  and  Facebook  ID  of  individual  interacting  with  ForAmerica" 

Dec  16,  2015  11:38am 


I'm happy to cover with you, but up to you!

Dec  11,  2015  5:16pm 


I, thanks for organizing.

- Please include me on all items related to this and I'll pull in folks as needed,

- Do you both need to be involved in meetings / investigation, etc. or can one of you cover (with me)? Thanks.

Dec 11, 2015 4:27pm


Update:  We  are  reaching  out  to  Dr.  Kogan  and  will  schedule  a  call  in  addition  to  asking  for  immediate  responses  over  email.  Please  be  sure  not  to 
contact  Dr.  Kogan  or  discuss  anything  pertaining  to  this  investigation  if  he  contacts  you.  If  he  does  contact  you,  please  put  him  in  touch  with  me 
directly. 


DevOps team - are and my poc for this investigation or should I include anyone else on any mtgs we schedule (want to make sure I'm
looping in the right people)?

Dec  11,  2015  4:17pm 

Hey  team,  pointed  me  to  this  thread.  Alex  Kogan  was  my  postdoc  supervisor  at  Cambridge,  although  I  left  before  he  founded  GSR.  I  have  a 

cursory  understanding  on  the  basic  principles  behind  GSR's  products  and  data  collection  methods,  if  that  helps.  Feel  free  to  ask  me  anything. 

Dec  11,  2015  3:50pm 


Hi  —  I’m  a  bit  familiar  with  some  of  the  context  around  the  personality  modeling  stuff.  As  I  understand  it,  it’s  inspired  from 

http://www.pnas.org/content/110/15/5802.abstract  which  is  solid  science.  I'm  good  friends  with  the  lead  author  from  that  paper  (Michal  Kosinsky)  and 
he  is  not  happy  about  how  these  guys  are  bringing  his  field  of  research  into  disrepute.  He's  offered  to  chat  with  people  on  our  end  and  to  give  more 
context  if  that  helps,  edit  to  be  clear,  the  datasets  mentioned  in  the  Guardian  article  are  different/collected  differently  to  those  in  the  PNAS  research! 

Dec  11,  2015  3:22pm 

Taking a broader perspective on how to manage this moving forward, I've been in touch with and team in DC to see if there is a better way to
explain our policies - not only on the data side, but also ensuring all political apps are platform policy compliant prior to launching. We've had cases
where apps were restricted or disabled as a result of violations and that's a bad experience for everyone involved. (Ben Carson app this week, White
House app earlier this year, etc.) We have a more immediate concern here, but would love to help educate.

Dec 11, 2015 2:18pm

Also,  importantly:  according  to  the  Wait,  What  thread  and  also  an  email  from  WV\^  -  it  sounds  like  Facebook  has  worked  with  this  "Aleksandr 

Kogan"  on  research  with  the  Protect  &  Care  team. 

Dec  11,  2015  1:04pm 

The  relevant  part  from  the  Guardian  article  on  the  supposed  connection  between  SCL  and  GSR: 


By  summer  2014,  Kogan’s  company  had  created  an  expansive  and  powerful  dataset.  His  business  partner  boasted  on  Linked  In  that  their  private  outf 
Global  Science  Research  (GSR),  “owns  a  massive  data  pool  of  40+  million  individuals  across  the  United  States  -  for  each  of  whom  we  have  generate 
detailed  characteristic  and  trait  profiles’. 


Documents show SCL agreed to a contract with GSR, whereby it would pay its data collection costs in order to improve “match rates' against SCL's
existing  datasets  or  to  enhance  GSR's  algorithm's  ‘national  capacity  to  profile  capacity  of  American  citizens’. 

In  an  email,  Kogan  said  he  was  unable  to  explain  in  detail  where  all  the  data  came  from,  as  he  was  restricted  by  various  confidentiality  agreements.  H 
said  SCL  is  no  longer  a  client. 

He  said  that  while  GSR  often  used  MTurk  for  data  collection,  it  “never  collected  more  than  a  couple  thousand  responses  on  MTurk  for  any  one  project,  or 
even  across  all  projects  for  a  single  client  -  the  vast  majority  of  our  MTurk  data  collection  as  a  company  is  in  the  form  of  surveys  only’.  He  said  GSR  stores 
Facebook  data  anonymously. 

Kogan  explained  that  separate  from  his  university  role,  his  private  company  undertook  various  commercial  ventures  relating  to  data  analysis.  He  said  that 
when  GSR  collect  Facebook  data,  the  terms  detail  the  use  that  information  collected  will  be  put  to  and  make  clear  to  participants  that  they  are  giving  GSR 
full  permission  to  use  the  data  and  user  contribution  for  any  purpose. 

He  said  Cambridge  University  had  “no  knowledge  of  the  clients  or  projects  GSR  had  worked  on”  and  that  GSR  has  never  used  any  data  collected  as  part  o 
his  university  activities. 

Dec 11, 2015 12:59pm

Digging  in  more.  /^^  pulled  this  list  of  UIDs  (first  three  are  associated  with  Cambridge  Analytica,  last  one  is  associated  with  GSR): 
https://fburl.com/187082435.  I  tried  to  find  an  obvious  connection  among  the  group,  but  wasn't  able  to  (no  shared  apps,  pages,  etc  among  ALL  four).  This 
means  that  the  Cambridge  Analytica/GSR  connection  remains  unconfirmed. 

With that said, we found a Business ID (id: 402996616566868) for Cambridge Analytica with one admin: The business has a Page
with 0 fans: https://www.intern.facebook.com/cambridgeanalytica/.

Lastly (and most interestingly), the business is associated with two other Pages: https://www.intern.facebook.com/keepthepromisel/ (a ted cruz page
that links here: http://www.keepthepromise1.com/about/) AND https://www.intern.facebook.com/PCIAA/ (property casualty insurers which links here:
http://www.pciaa.net/about-us/about-pci). Both Pages have roughly 1k likes.


Dec  11,  2015  12:56pm 


I just looked more deeply on the GSR website and it appears they *are* offering PII via their API:


Reveal  new  depths  of  insight  from  your  social  media  data  with  our  API  product,  delivering  the  same  consumer  psychology  insight  provided  by 
BrandAnalyzer  at  the  individual  level. 


"Enrich  Your  Social  Media  Data 

Augment  social  media  data  by  appending  deep  psychological  profiling,  contextualized  brand  preferences,  and  more  accurate  consumer  personas. 


http://globalscienceresearch.com/#brand_analyzerapi

Dec  11,  2015  12:00pm 


As  mentioned  to  these  are  the  two  new  hires  Cambridge  Analytica  has  made:  AA4^ ! 

5cambridgeanalytica.org: 


YVm  is  | 


l@cambridgeanalytica.org 


https://cambridgea  nalytica.org/./Cambridge-Analytica-| 

Dec 11, 2015 11:32am

Regarding speaking with Strategic Media 21, as I mentioned I've been having a back and forth with Strategic Media to setup time, I've asked GG^ (the
contact there) to speak with us next Tuesday at 1pm PST.

Dec  11,  2015  11:09am 


Unfortunately,  a  full  analysis  of  Cambridge  Analytica  is  challenging,  since  the  site  doesn't  appear  to  be  integrated  with  Facebook  (no  app  id,  Facebook 
Page,  etc).  While  this  is  the  case  today,  in  order  to  have  obtained  Facebook  data,  the  site  must  have  had  some  integration  in  the  past.  Beyond  the 
Guardian article, do you have additional information about the site's relationship to Facebook? If the article is true, then we may
want to have a call to clarify the data collection piece. Again, I'm having trouble gathering more information than what's featured on their site. Let me
know what you think.

Dec  11,  2015  11:08am 

A  case  study  on  applying  these  methods  for  Hostess:  http://globalscienceresearch.com/blog-promotions-trans-fats 

Dec  11,  2015  10:35am 

Screenshots  of  their  tool  attached. 

Dec  11,  2015  10:20am 

you can register and see their data here: http://globalscienceresearch.com/./205313./Facebook/Everyone

Dec  11,  2015  10:14am 

Adding  from  Developer  Policy  Enforcement 

Dec  11,  2015  10:11am 

Here's  a  link  to  Global  Science  Research,  the  "for  profit"  arm  of  CA  mentioned  in  the  article:  http://globalscienceresearch.com/. 


We had not heard of this org before the article. They operate a product called "BrandAnalyzer" which promises to "Instantly access over 15,000 brand
reports  with  consumer  psychology  profiles  and  implementation  guides  generated  from  our  social  media  data.  Gain  a  high  level  overview  of  who 
supports  your  brand  (and  your  competitors)." 

Dec 11, 2015 10:06am

CCH  DDH 

Hi  everyone  -  this  is  hi  pri  at  this  point.  This  story  just  ran  in  the  Guardian  and  is  now  prompting  other  media  requests.  We  need  to  sort  this  out  ASAP. 
Thank  you! 

Dec  11,  2015  9:45am 


Ml 


Can you expedite the review of Cambridge Analytica or let us know what the next steps are? Unfortunately, this firm is now a PR issue as
this story is on the front page of the Guardian website - http://www.theguardian.com/ . ./senator-ted-cruz-president-cam ... ccmom is fielding
comms policy requests and concerns.

Dec  11,  2015  9:34am 

Thanks  yes  I  have  been  having  a  back-and-forth  with  the  developer  from  Strategic  Media  attempting  to  set  up  a  time  to  talk,  though  he  has  been 

slow  to  respond  (though  is  responsive)  and  it  has  been  difficult  to  pin  down  a  time,  particularly  given  the  short  week  last  week.  As  is  out  this  week  I  will 
be  setting  up  time  next  week  to  talk.  Thanks  for  following  up! 

Nov  30,  2015  12:36pm 

MH 


Hi  and  ^  did  either  of  you  ever  connect  with  Nation  Builder  or  Strategic  Media?  Would  love  to  know  if  we  were  able  to  learn  if  the  methods 

that  they  sell  their  appending  process  is  considered  within  terms. 


Nov  30,  2015  11:42am 

Yes!  But  not  after  3:30  PT 

Nov  12,  2015  10:05pm 

Thanks!  I  just  heard  back  from  the  developer  and  he  says  that  any  30  minute  timeslot  tomorrow  works.  Does  this  work  for  you?  If  so,  I'll  try  and  get 
something  set  up.  If  not,  please  let  me  know  which  days  work  for  you  next  week  and  I'll  confirm  a  time. 

Nov  12,  2015  9:06pm 

This  week  works.  If  he  gives  a  few  blocks  of  time  I'm  sure  we  can  make  it  work.  Just  you  and  I  are  fine  (unless  wants  to  join).  Thank  you! 

Nov  11,  2015  1:04pm 

The  developer  just  got  back  to  me  noting  he  is  free  anytime  this  week.  Cg,  would  it  work  for  you  if  I  schedule  a  call  for  this  week?  If  so,  is  there  anyone 
else  we  need  to  include  on  our  end? 

Nov  10,  2015  8:59pm 

As  a  follow-up  note,  I've  reached  out  to  Strategic  Media  (TPS  277017911)  via  the  email  address  listed  on  the  app  ID  associated  with  the  strategic 
media  site  (ID  341917549290893).  I  have  asked  for  times  to  talk  next  week  and  will  follow  up  here  when  I  hear  back. 

Oct  29,  2015  12:00pm 

Thanks,  all!  CQ  and  I  synced  offline  about  this  yesterday;  I  will  run  draft  outreach  wording  by  her  before  reaching  out  to  schedule  a  call,  and  will  update 
here with details once I've reached out. Please let me know if there are any questions or additional details in the interim.

Oct  21,  2015  9:06am 


Awesome,  thanks  and  Jf|.  Really  appreciate  this  as  I  do  suspect  there  is  plenty  of  bad  actor  behavior  going  on  ..  both  Nation  Builder  (who  is 

more  dominant  in  this  space  and  where  the  original  concern/scraping/appending  issues  are)  as  well  as  Strategic  Media  21  are  the  two  to  reach  out  to. 
My  sense  is  that  Nation  Builder  sells  these  services  to  Strategic  Media  21  so  not  sure  how  you  want  to  approach  but  they  are  both  worthy  of  some  direct 
conversation. 

Oct 20, 2015 1:40pm

J^-  We'll  need  to  get  on  a  call  with  this  company  b/c  they  appear  to  be  violating  our  data  policies,  although  it  is  hard  to  understand  specifically  what 
they  are  violating  without  having  a  conversation.  Can  you  drive  this  for  us?  I'm  happy  to  support  the  call.  If  you  think  we  can  manage  it  via  email  I  defer 
to  your  team,  but  I  suspect  this  may  be  easier  if  we  talk  this  one  out. 

Oct  20,  2015  11:45am 

], thanks for confirming this seems in violation. As mentioned there is a lot of confusion in the political space
about how people use Facebook to connect with other offline sets of data. In particular, Strategic media 21 has been exerting a good deal of pressure on
one of our clients to take advantage of this type of appending. This client's agency, who does not want to violate policy, is stuck in the middle of knowing
this is happening and that it is out of policy - but on the other hand, doesn't want to ruin their client relationship by calling this other vendor out. We are
seeing more of this type of activity in the political space, and since a few firms are now offering this type of service, clients assume that it's acceptable
since no one has been told otherwise. How would you recommend proceeding here?

Oct  14,  2015  1:08pm 

The vendor is strategic media 21. http://www.strategicmedia21.com/

Creative  Response  Concepts  is  the  agency  that  represents  ForAmerica  (not  involved  in  pitching  this  at  all  -  they  received  the  below  reactively)  and  is 
uncomfortable  telling  them  to  back  off  without  firm  enforcement  here  given  that  many  of  FA's  peers  are  apparently  utilizing  these  services. 


From  CRC: 


"If  it  is  not  allowed  and  you  all  are  able  to  formally  tell  us,  I  can  get  it  stopped  immediately.  If  it  is  allowed,  I  am  sure  I  have  other  clients  that  will  want  to 
do  it."  They  essentially  want  these  guys  to  be  shut  down  so  they  don't  look  like  they're  telling  their  client  to  play  by  a  different  set  of  rules  from 
everyone  else. 


Is  there  anything  devops  can  do  with  the  information  we  have  provided? 


facebook  |  instagram 

U.S.  Politics  and  Advocacy  |  Washington,  DC 
@fb.com

13,  2015  2:24pm 

There are likely a few data policy violations here. They can't collect information from public posts and share that information with any type of data
broker (company XXX seems to operate in that fashion). We should tell ForAmerica not to proceed, as they (and any service provider acting on their
behalf) must not collect and use information from us for this purpose. See, Platform Policies (https://developers.facebook.com/policy). Can you ensure
the client doesn't proceed? Also, can you ask the client to tell us who the vendor is? We will keep it confidential and thank them in advance.

Oct  13,  2015  1:00pm 


Hi  All,  we  have  some  new  information  to  share.  Our  client  sent  over  the  following  email  today  referring  to  a  Nationbuilder  project  their  client 
(ForAmerica)  is  moving  forward  with,  but  redacted  the  middle  man  vendor.  However,  this  is  the  person  who  presumably  works  for  that  middle  man 
vendor  that  was  added  to  their  page  as  an  analyst: 


Email  from  the  client: 


"FYI  -  ForAmerica  is  moving  forward  with  the  Nation  Builder  project.  There  is  a  vendor  in  the  middle  and  this  is  what  they  have  indicated  ForAmerica 
should  end  up  with: 

XXX  will  take  ForAmerica’s  community  of  7.6  million  Facebook  likes  and  create  a  database  identifying  people  who  like  ForAmerica  posts  and  in  many 
cases  use  data  matching  to  layer  other  information  points  over  these  individuals,  including  methods  of  contact  and  interests. 

In  order  to  do  this,  XXX  will  first  set  up  an  API  to  gather  data  on  anyone  who  ‘Likes’  a  post  on  ForAmerica’s  page.  Once  a  critical  mass  is  reached, 
XXX  will  match  this  list  against  our  database  of  names,  phone  numbers,  e-mails  and  mailing  addresses  of  82  million  conservatives  and  Christians  and 
their  friends. 


Our  initial  data  gathering  and  matching  run  will  take  place  over  the  two  months  in  October  and  November.  Our  estimates  are  that  this  data  run  would 
generate  a  1.25  -  3  million  person  database  (this  is  an  estimate  and  not  a  guarantee)  that  could  be  broken  down  along  the  following  lines: 

100,000-250,000: Full Data Match- name, street address, phone number, email, DOB and number of interactions with ForAmerica (can be used to
assign donor value at later date)

150,000  -  300,000:  Partial  Match-  Name,  City,  State,  DOB  (can  be  matched  against  voter  file  to  determine  physical  address  at  a  future  date)  and 
number  of  interactions  with  ForAmerica 

1-2.5 million: Facebook Profile- Name and Facebook ID of individual interacting with ForAmerica

My understanding is that they are using Nation Builder to do everything.

We've  set  up  one  of  their  folks  as  an  analyst  on  the  FA  Facebook  account.” 

Oct  13,  2015  11:36am 

It's difficult to get app IDs for these companies since they're usually one-off for clients and they're not volunteering them, but I’ll dig a little.

facebook  |  instagram 

U.S.  Politics  and  Advocacy  |  Washington,  DC 
@fb.com

Sep  30,  2015  12:17pm 


To set expectations, we can't certify/approve apps for compliance, and it's very likely these companies are not in violation of any of our terms. What
may help is if you provide us with concrete examples of what we understand the apps to be doing that we think may violate our terms, and that can
help us dive in. If we had more resources we could discuss a call with the companies to get a better understanding, but we should only explore that
path if we do see red flags.

Sep  30,  2015  10:48am 


Hi C^, I will have to get back to you on the Cambridge app ID, but the NationBuilder app id is: 126739610711965, which we are also very interested if they are compliant. Thanks!

Sep  30,  2015  6:02am 


Hello,  thanks  for  surfacing  this  very  interesting  question.  To  start:  could  you  provide  App  IDs  and  App  names  for  the  apps  that  are  engaging  in  this 
scraping  of  user  data? 

tl;dr-Need  more  info  before  can  offer  anything  more  definitive;  but  my  hunch  is  that  these  apps'  data-scraping  activity  is  likely  non-compliant  (see 
FPPs  cited  below). 


As for the website itself, I dug around a bit and couldn't find any very salient red flags. However, in light of our data-sensitivity-related policies, the
following  Facebook  Platform  Policies  (FPPs)  come  to  mind: 

FPP3.9  -  Don't  sell,  license,  or  purchase  any  data  obtained  from  us  or  our  services. 

FPP3.10  -  Don't  transfer  any  data  that  you  receive  from  us  (including  anonymous,  aggregate,  or  derived  data)  to  any  ad  network,  data  broker  or  other 
advertising  or  monetization-related  service. 

FPP7.4  -  Request  only  the  data  and  publishing  permissions  your  app  needs. 

There are also more FPPs related to data stuff here: https://developers.facebook.com/policy/#data


As  for  your  questions: 

(1) I don't believe we currently have any language/boilerplate messaging re: political analysis/data-scraping apps.

(2)  Please  provide  App  IDs,  I'd  be  happy  to  investigate  their  app's  activity. 

(3)  Without  App  IDs  to  dig  deeper,  I  can't  say  exactly  what  they're  doing,  but  my  initial  hunch  is  that  "automatically  linking  emails  in  your  database  to 
FB  accounts"  would  be  against  our  policies  (whether  for  FPP  or  otherwise),  mainly  because  it  seems  to  access  data  that  isn't  explicitly  being  permitted 
access  by  the  user  (see  FPP7.4  above).  It  also  brings  to  mind  the  following: 

FPP3.11 - Don't put Facebook data in a search engine or directory, or include web search functionality on Facebook.


With all the above-mentioned FPPs in mind, I imagine it would be *very* difficult to engage in data-scraping activity as you described while still being
compliant  with  FPPs. 


Passing  back  to  i 

Sep  29,  2015  5:38pm 


I]  for  her  thoughts. 


Hi  team  -  I'm  passing  this  to  DevOps  for  initial  review.  They  can  help  investigate  and  from  there  we  can  discuss.  At  a  high  level  it  is  possible  these 
services  comply  with  our  terms,  but  it  is  also  possible  they  do  not.  I'm  happy  to  meet  with  anyone  who  would  like  to  learn  more  about  our  policies  with 
respect to data collection and use. My calendar is up to date, so don't hesitate to find time for us.

Sep  29,  2015  8:57am 

Following up on H^^|' task here - we are getting several pointed questions from the political partner space around what is in bounds versus
what  is  out  of  bounds.  Many  companies  seem  to  be  on  the  edge-  possibly  over.  Would  it  be  worth  setting  up  a  call  to  chat  through  the  boundaries?  or 
can  you  take  a  look  at  the  cited  examples  and  weigh  in  on  the  methods/tolerance  for  them?  Thank  you! 

Sep  29,  2015  7:16am 




